Is anyone monitoring for the start and end of SCEP scans? I’m trying to convince our Windows Engineering team and Security that the Full Weekly Scans aren’t effective on large disks, but I need to be able to show how long they are taking. We’ve observed that some will go on for over 1 week, resulting in the subsequent failure of the next scheduled weekly Full scan. I’m also working on the theory that while SCEP is occupied wasting its time on a Full scan, it’s not updating its definition files, because I work the compliance issues on systems with DEFs over 5 days old and every single one of them is running a Full scan when I log in. The GUI isn’t helpful because it shows the session time as the start of the scan.
I haven’t dug too deeply into this, so there’s a chance I’m missing something obvious.
Edit: I could just do a process monitor, but I was hoping more for an event based monitor solution; still digging.
Hi, as far as I know SCEP writes scan logs under:
%allusersprofile%\Microsoft\Microsoft Antimalware\Support—Log files specific for the antimalware service
%allusersprofile%\Microsoft\Microsoft Security Client\Support—Log files specific for the SCEP client software
%windir%\WindowsUpdate.log—Windows Update log files, which include information about definition updates
%windir%\CCM\Logs\EndpointProtectionagent.log – Shows Endpoint version and policies applied
%windir%\temp\MpCmdRun.log – Activity when performing scans and signature updates
%windir%\temp\MpSigStub.log – Update progress for signature and Engine updates
For monitoring these logs you can use the NICE Log Monitoring Management Pack.
Maybe you can find a start and end marker in one of these logs.
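An event-based alternative to scraping the log files above, added here as an example and not part of either post: the antimalware engine also writes scan lifecycle events to the Windows event log, so pairing a "scan started" event with the next "scan finished/stopped/failed" event gives the real duration per scan, and a start with no matching end tells you the scan is still running (or never reported). The assumptions in this script, to verify on your build before trusting the numbers: SCEP logs to the System log under provider "Microsoft Antimalware" (newer clients may log to Microsoft-Windows-Windows Defender/Operational instead, in which case change `$filter`); Event ID 1000 = scan started, 1001 = scan finished, 1002 = scan stopped before completion, 1005 = scan failed; the scan type is read from a "Scan Type:" field in the event message. `$MaxDuration` is a placeholder threshold.

```powershell
# Added example (not from the original thread): compute per-scan durations from
# SCEP scan lifecycle events and flag scans that ran longer than a threshold.
#
# Assumptions, to be verified on your own client build:
#   - provider 'Microsoft Antimalware' writes to the System log
#   - Event ID 1000 = scan started, 1001 = finished, 1002 = stopped, 1005 = failed
#   - the event message carries a 'Scan Type: ...' line
param(
    [string]   $ComputerName = $env:COMPUTERNAME,
    [int]      $Days         = 30,
    [timespan] $MaxDuration  = [timespan]::FromDays(1)   # placeholder threshold
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft Antimalware'
    Id           = 1000, 1001, 1002, 1005
    StartTime    = (Get-Date).AddDays(-$Days)
}

$outcome = @{ 1001 = 'finished'; 1002 = 'stopped'; 1005 = 'failed' }

function Get-ScanType([System.Diagnostics.Eventing.Reader.EventRecord] $Event) {
    # Assumption: the message contains a 'Scan Type:' field; fall back to 'unknown'.
    if ($Event.Message -match 'Scan Type:\s*([^\r\n]+)') { return $Matches[1].Trim() }
    return 'unknown'
}

# Oldest first so that each start is matched with the end event that follows it.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
          Sort-Object TimeCreated

$open = $null
$results = foreach ($e in $events) {
    switch ($e.Id) {
        1000 {
            if ($open) {
                # A second start before any end: the previous scan never reported finishing.
                [pscustomobject]@{
                    Computer = $ComputerName; ScanType = Get-ScanType $open
                    Start = $open.TimeCreated; End = $null; Outcome = 'no end event'
                    Duration = $null; OverLimit = $true
                }
            }
            $open = $e
        }
        { $_ -in 1001, 1002, 1005 } {
            if ($open) {
                $dur = $e.TimeCreated - $open.TimeCreated
                [pscustomobject]@{
                    Computer = $ComputerName; ScanType = Get-ScanType $open
                    Start = $open.TimeCreated; End = $e.TimeCreated; Outcome = $outcome[$e.Id]
                    Duration = $dur; OverLimit = ($dur -gt $MaxDuration)
                }
                $open = $null
            }
        }
    }
}

# A trailing start with no end event is the scan that is running right now.
if ($open) {
    $results += [pscustomobject]@{
        Computer = $ComputerName; ScanType = Get-ScanType $open
        Start = $open.TimeCreated; End = $null; Outcome = 'still running'
        Duration = (Get-Date) - $open.TimeCreated
        OverLimit = (((Get-Date) - $open.TimeCreated) -gt $MaxDuration)
    }
}

$results | Sort-Object Start | Format-Table -AutoSize
$results | Where-Object OverLimit | Export-Csv -NoTypeInformation "scep-long-scans-$ComputerName.csv"
```

Run it against a handful of the machines that show stale definitions and the CSV of over-limit scans is the evidence the question asks for; "no end event" rows are the case where the next scheduled scan started while the previous one was still running. If the 1000/1001 pairing does not line up with what MpCmdRun.log shows on a test box, the provider, log name or IDs above are the first things to adjust.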